From f88707df8806878a169449d8654e0b626898543b Mon Sep 17 00:00:00 2001 From: Euan Kemp Date: Fri, 23 Mar 2018 16:15:43 -0700 Subject: [PATCH] docs: xref ambient issuers in cluster-issuer docs --- docs/user-guides/cluster-issuers.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/user-guides/cluster-issuers.md b/docs/user-guides/cluster-issuers.md index 549fd63d3..2dc4acc0a 100644 --- a/docs/user-guides/cluster-issuers.md +++ b/docs/user-guides/cluster-issuers.md @@ -1,4 +1,6 @@ -# Creating cluster wide Issuers +# Cluster Issuers + +## Creating cluster wide Issuers cert-manager has the concept of `ClusterIssuers`. These are a non-namespaced and cluster-scoped version of an `Issuer`. The specification of a `ClusterIssuer` is exactly the same as that of an `Issuer`, but there are a couple of nuances you need to be aware of. 
@@ -28,6 +30,18 @@ spec: The two manifests above define two `ClusterIssuers`. As `ClusterIssuer` resources do not specify a namespace, we must configure a namespace that cert-manager will use to store supporting resources required for each `ClusterIssuer`. We do this by specifying the `--cluster-resource-namespace` flag on the cert-manager controller. By default, this flag will be set to `kube-system`. +## Securiy of Cluster Issuers + +It is assumed that cluster issuers may only be created by cluster administrators. + +## Ambient Credentials + +By default, a Cluster Issuer will be able to use 'ambient credentials' of the 'cert-manager' deployment for supported challenges. Currently, only the ACME DNS challenge validation makes use of ambient credentials. To learn more about this behavior, see the [ambient credentials][ambient-creds] document. + +To disable this behavior, either set `--cluster-issuer-ambient-credentials=false` on cert-manager, or alternately do not create any cluster issuers which define a `spec.acme.dns01.route53` object without any associated credentials. + +## Referencing Cluster Issuers + In order to reference a `ClusterIssuer` in a `Certificate` you must specify the `kind` in the `issuerRef` stanza. The following are two examples of `Certificates` that reference our `ClusterIssuers` above. ```yaml @@ -62,3 +76,6 @@ spec: domains: - nginx.k8s.io ``` + + +[ambient-creds]: ambient-credentials.md
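Review bot: in the first hunk, "cluster wide" in the new `## Creating cluster wide Issuers` heading is a compound modifier and should be hyphenated as `## Creating cluster-wide Issuers`; with the page title now `# Cluster Issuers`, that reads cleanly as the first subsection.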
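Review bot: in the second hunk, the new heading `## Securiy of Cluster Issuers` has a typo and should read `## Security of Cluster Issuers`. The sentence "It is assumed that cluster issuers may only be created by cluster administrators" states the assumption without saying how to uphold it; since the next section explains that a `ClusterIssuer` can use the cert-manager deployment's ambient credentials, consider adding one sentence recommending that RBAC rules restrict create/update on the `ClusterIssuer` resource to cluster administrators. Also, the opt-out sentence names only `spec.acme.dns01.route53`, while the preceding paragraph says ACME DNS challenge validation in general uses ambient credentials; either state that route53 is currently the only provider that does so, or phrase the opt-out generically so it stays correct as providers are added.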